Certified in The Art of Hacking - Day 5

by @edent | 1 comment

Logo for QA's certified in the art of hacking course.

This is a diary of what I've learned. Hopefully it will let other learners know what the course is like, and if it is worthwhile. Oh, and it might just help me remember what I'm learning! Verdicts: Some of the lab tasks were impossible without looking at the cheat sheet. I got stuck on one…

Full Disclosure: XSS in Getty Images

by @edent | 3 comments

Javascript popup on the Getty Images website.

I've spent two months trying to report this issue to Getty Images. They haven't responded to my emails, phone calls, Tweets, or LinkedIn messages. I've tried escalating through OpenBugBounty and HackerOne - but still no response. I've taken the decision to fully disclose this XSS because the Getty Images sites accept payments from users -…

Responsible Disclosure: [REDACTED] XSS

by @edent

A pop-up on a website. The HTML code shows the data has been injected.

Legacy websites are a constant source of vulnerabilities. In a fit of excitement, a team commissions a service and then never bothers updating it. Quite often the original owners leave the business and there's no-one left who remembers that the service exists. So it sits there, vulnerable, for years. The [REDACTED] website had a subdomain…

Responsible Disclosure: Content Injection flaw in Gett's Website

by @edent

A basic form asking for users' credit card details.

Bit of a boring write-up, but here we go. Taxi app Gett had a content injection flaw in its search function. By searching for an HTML string, it was possible for an attacker to add links or images to a page. It was really hard to contact them - but the threat of media attention…

Responsible Disclosure: SVG injection in Three.co.uk

by @edent | 4 comments

The website has a circle drawn on it.

Here's a quick write-up of a minor XSS (Cross Site Scripting) vulnerability on the website of Three.co.uk - one of the UK's mobile providers. A brief recap... Most websites have a search function. If you search for something which cannot be found, the site will often say "No results found for XYZ." If we can…

Security issues on ArtChain

by @edent | 4 comments

A website with a popup notification.

One of the problems with the BlockChain goldrush is that it attracts a lot of people who don't necessarily have the required technical skill to safely run a service. This in turn reduces trust in the ecosystem. I'd like to discuss ArtChain.info - "Certifying Art Using the Bitcoin Blockchain" - and some of the…

Minimum Viable XSS

by @edent

Update! I now have an XSS which is only 18 characters! Here's a fun little game for all the family! What is the minimum number of characters required to perform a successful XSS attack? Let's take an entirely theoretical example - suppose we have a site which echoes back user input without sanitising it. So…
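The Three.co.uk write-up and the Minimum Viable XSS post above both turn on the same pattern: a search page that reflects the query into its HTML without escaping it. The Python below is an added illustration, not code from any of the posts or from the sites they describe; the template, the payload and the set of "template tags" are constructed for the example. It renders a "No results found" page twice, once with the raw term and once with html.escape applied, then parses the output the way a browser would and lists any element or on* handler that the template itself did not emit.

```python
import html
from html.parser import HTMLParser

# Constructed payload: one element with an inline event handler, so it needs no closing
# tag and fires without user interaction. The leading "> breaks out of a quoted
# attribute when the search term is echoed inside one.
PAYLOAD = '"><svg onload=alert(1)>'

# Elements the (constructed) template emits itself; anything else in the output was injected.
TEMPLATE_TAGS = {"form", "input", "p"}


def render_vulnerable(query: str) -> str:
    """Echo the search term into the page verbatim: the pattern the posts above describe."""
    return (
        f'<form><input type="search" name="q" value="{query}"></form>'
        f"<p>No results found for {query}</p>"
    )


def render_escaped(query: str) -> str:
    """Same template, but the term is HTML-escaped; quote=True also neutralises \" and '."""
    safe = html.escape(query, quote=True)
    return (
        f'<form><input type="search" name="q" value="{safe}"></form>'
        f"<p>No results found for {safe}</p>"
    )


class _MarkupAudit(HTMLParser):
    """Collect every start tag and every on* attribute a browser would act on."""

    def __init__(self):
        super().__init__()
        self.tags = []       # start tags in document order
        self.handlers = []   # (tag, attribute) pairs for inline event handlers

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        self.handlers.extend((tag, name) for name, _ in attrs if name.startswith("on"))


def audit(rendered: str) -> dict:
    """Return the injected elements and inline handlers found in a rendered page."""
    parser = _MarkupAudit()
    parser.feed(rendered)
    parser.close()
    return {
        "injected": [t for t in parser.tags if t not in TEMPLATE_TAGS],
        "handlers": parser.handlers,
    }


if __name__ == "__main__":
    for name, render in (("vulnerable", render_vulnerable), ("escaped", render_escaped)):
        print(name, audit(render(PAYLOAD)))
```

Running it shows the raw template yields two injected `svg` elements, each with an `onload` handler (one from the attribute breakout, one from the paragraph), while the escaped template yields none. Note that html.escape is the right fix only because the term lands in HTML text and in a quoted attribute; a term echoed into a script block, a URL, or an unquoted attribute needs the encoding for that context, and the parser check above is a cheap unit test for a template, not a substitute for fixing the output encoding.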

Responsible Disclosure - XSS Flaw at LetsSaveMoney.com

by @edent

Another day, another bug! LetsSaveMoney.com is a "money saving" site. It offers discounts on a wide range of products and services, and is financed through affiliate marketing. Links removed, because the site has disappeared. My Trade Union, Prospect, has just launched a white-labelled "Members' Rewards" based on LetsSaveMoney - that's how I came across this…

Private Eye - Not As Clever As They Think They Are

by @edent | 2 comments

Private Eye is the only "Dead Tree" publication I buy. I think its satire misses the mark more often than not - but its investigative journalism and general muck-raking are second to none. The Eye has reluctantly been drawn into the digital age. It has a piss-poor website run by the sort of "tired and…

Privacy and Security Flaw with CAB

by @edent

The Citizens' Advice Bureaux have just released a real-time view of what people are searching for on its site. It's heartbreaking.

Interesting new digital stuff emerging from @CitizensAdvice http://t.co/zvc0kcoj0A <-- uncomfortable, messy, visceral reality @mikedixonCAB
— Tom Loosemore (@tomskitomski) October 21, 2014

who supplies my electricity
why do some children become looked after
will i…